Students Toil as Spyware Hunters

Share

Students Toil as Spyware Hunters

Jay Cross Jr. and Christopher Carlino, two high school seniors from Stamford, Connecticut, decided to track down the creators behind Xupiter spyware and bring them to justice. The teenagers are also working to organize the Internet Privacy Conservation Council, which they say will serve as an information resource on deceptive and privacy-compromising Internet practices. Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

Outraged by the damage inflicted by a fast-spreading spyware application, a pair of high school students team up to fight back.

Jay Cross Jr. and Christopher Carlino, two high school seniors from Stamford, Connecticut, are determined to track down the creators of Xupiter spyware software and take them to court.

Carlino and Cross recently signed on as participants in a pending class action suit against Xupiter, joining thousands of other disgruntled users whose machines were vandalized by the spyware.

But the two teenagers weren't content to simply join the suit. Carlino, 17, and Cross, 16, have become the primary researchers for the case, tirelessly ferreting out information about the creators of Xupiter and the havoc their software wreaks on computers.

"In the greater scheme of things Xupiter may not seem like a big deal, but we believe that people should care about the little everyday injustices," said Cross. "Little problems can quickly turn into big issues."

Not that anyone who has had the misfortune of meeting Xupiter would classify it as a little problem.

Xupiter attaches itself to Internet Explorer's toolbar. Once active in a system, it periodically changes users' designated homepages to Xupiter.com, redirects all searches to Xupiter's site, and blocks any attempts to restore the original browser settings.

Xupiter also attempts to download updates each time an affected computer boots up, and has been blamed for causing system crashes. Several versions of Xupiter appear to download other programs, such as gambling games, which later appear in pop-up windows.

Xupiter arrives in some peer-to-peer programs, and is also offered for download from an ever-changing array of websites. But a significant number of users claim they never gave permission before the application was installed on their machines. And the program doesn't allow itself to be easily uninstalled.

As of late last month Xupiter.com, the spyware's mother ship, appeared to be inactive. But various mutations of Xupiter, lurking on sites such as xjupiter.com and orbitexplorer.com, continue to infest the computers of unwary users, as does Xupiter itself.

"Both of us became infected with Xupiter about a year or so ago," said Carlino. "We neither agreed to nor authorized an installation of this software; we just found it on our PCs. We were furious and frustrated. After trying for hours to manually delete Xupiter – a difficult task for even PC experts – we turned to Web forums for advice."

At one forum they found out how to pluck Xupiter from their computers and heard about the pending class action suit. They quickly signed on as participants and volunteered to do research in order to reduce legal costs.

"Judging by the 25,000-some odd posts on SpywareInfo alone, I'd say quite a few people are pretty ticked off about Xupiter," said Cross. "And we've been told that hundreds of people every week want to get in on the lawsuit."

The suit participants are now looking for a legal firm to represent them, and expect to file the suit within a week.

Cross and Carlino had no experience in legal research before embarking on their Xupiter odyssey, but after just a few weeks of work they've managed to speak to both of Xupiter's owners – the porn- and spam-peddling father-and-son team of Saeid and Daniel Yomtobian.

Both Yomtobians are experienced in devising innovative ways to use the Internet to foist their business on unwary users and ducking media and consumers' calls requesting comment on their activities. Contacting the twosome is considered quite a feat, and most news stories about Xupiter include the line "the Yomtobians did not return calls or e-mails requesting comment."

It wasn't an enjoyable experience for the young researchers.

"In a telephone call with Saeid, we were blasted with profanity so terrible that we don't want to repeat it," said Cross.

"As far as Dan Yomtobian goes, we had one real phone communication with this man, who said he was not available for comment, and then hung up on us as we were giving him contact information for his legal counsel to use. This was our last talk with him before he cancelled his cellular telephone number."

Cross and Carlino have also managed to find a "new" Xupiter.com, which is still alive and well despite the sanctimonious message to the contrary on the primary Xupiter.com site. They've also discovered some interesting ties between Xupiter and other Web directory sites, which they say cannot be made public until after the class action suit is filed.

Right now, the Xupiter lawsuit is Cross and Carlino's primary project. But the two have also been working to organize the Internet Privacy Conservation Council, which they say will serve as an information resource on deceptive, privacy-compromising Internet advertising practices and will be a vehicle for people to devise ways to battle against such schemes.

The two said they have big plans for the IPCC, including a privacy offender database, where users can check a dynamically updated database of which companies and individuals are invading their privacy and rights on any particular day. The site is expected to go live by the end of October.

"These kids are just so cool," said Bob Franklin, a systems administrator at a New York brokerage firm who has plucked Xupiter off at least two dozen computers. "I've seen their posts on various tech support forums, and I think it's great that teenagers care so much about keeping the Internet alive and well and free of all these underhanded moneymaking schemes."

Carlino said his parents didn't take the lawsuit, or his IPCC plans, seriously until very recently.

"It wasn't a huge deal to them. They didn't see it as a worthwhile goal or even something realistic, and they'd laugh when I'd say I was planning on suing Xupiter," said Carlino. "Only now that the media is getting interested are they beginning to take things seriously."

Cross' parents reacted favorably, but were also surprised that the two teenagers were so incensed about the Xupiter issue. Their classmates were also curious about why Cross and Carlino had gotten so involved in Internet privacy issues.

"Our friends would ask us why we cared, and why we 'bothered' people, and we'd always answer that we were standing up for what we feel is right, and we encouraged them to do the same in a similar situation," said Cross.

Cross and Carlino plan to study Web design and multimedia after they finish high school. They are also working on a book on what they believe are the failures of the public school system.

Until the IPCC site goes live, Cross and Carlino can be contacted at xupiterguys929@yahoo.com.